* Steve Langasek <[EMAIL PROTECTED]> [080316 21:14]:
> There is no requirement that we ship pristine tarballs as downloaded from
> upstream.

But doing so without a good reason, or in this case without any reason at all, just makes no sense. I do not know why it is only in the DevRef but not in policy. (I was under the impression it also was in policy; without that it is a little less severe, but still a very bad sign.)

> > (What if the .orig.tar.gz was not only repacked but actually modified,
> > would everyone have noticed?)
>
> Why should that block it from inclusion in the archive? Do you suppose
> there's something magical about all upstream tarballs that makes them
> non-crap and instantly trustworthy by the ftp team?
> Using the pristine tarballs makes it easier to blame certain problems on
> upstream, but that's all.

There is no instant trustworthiness of upstream tarballs, but having differing tarballs weakens security for all involved parties. Having the same file everywhere means malicious code must be hidden well enough that no one will find it early enough. It means users can just download the files and compare their checksums without having to look at the contents, knowing that checking one of them is enough.

I do not think that having one source non-pristine is a big problem that has to be fixed, as anything else would just cause confusion. But I think it is a problem that such a thing was able to get in. As it is not a policy rule that was broken, I fear less that no one has even looked at the file. But the alternative, of someone looking, realising this mistake and just letting it in anyway, is not very comforting either.

Respectfully,
Bernhard R. Link